Xero signature failed on verification. #1

Open
taitran6879 opened this issue May 8, 2018 · 5 comments

Comments

@taitran6879

Hello, my name is Tai.

Based on the sample here, I created a receiver for webhooks, using ngrok and .NET Core 2.
After encoding the payload with the webhook key, I got the following generated signature:
BjzNbYUfrzg4g8wxm+dKHaZVrKxr2m75E296fUbD1E4=

But in the webhook request, I have this signature:
/jzNbYUfrzg4g8wxm+dKHaZVrKxr2m75E296fUbD1E4=

Here's the full payload body:
```
POST /webhooks HTTP/1.1
Host: 3099768b.ngrok.io
Accept: /
Accept-Encoding: gzip,deflate
Content-Type: application/json; charset=utf-8
x-xero-signature: /jzNbYUfrzg4g8wxm+dKHaZVrKxr2m75E296fUbD1E4=
Content-Length: 95
X-Forwarded-Proto: https
X-Forwarded-For: 34.233.225.118

{"events":[],"firstEventSequence": 0,"lastEventSequence": 0, "entropy": "LUWDSUDGSWNZVALZXBEV"}
```

Here's the code for generating signature with given webhooks key:

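```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Compares the signature computed over the payload with the x-xero-signature header value.
public bool VerifySignature(string payload, string signatureHeader)
{
    var generatedSignature = GenerateSignature(
        "LR+QgKlbRciIPYpi65tTKLaZ3FzLLofCNEQWrRXqWXJeDFrfexzfVI9SmnVuCWDJ4jnjHB9ECtOyxZSofRxwWw==",
        payload);

    return generatedSignature == signatureHeader;
}

// HMAC-SHA256 of the payload's UTF-8 bytes, keyed with the UTF-8 bytes of the webhook key,
// returned as base64.
public string GenerateSignature(string signingKey, string dataToHash)
{
    using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(signingKey)))
    {
        var messageBytes = Encoding.UTF8.GetBytes(dataToHash);
        var hash = hmac.ComputeHash(messageBytes);
        return Convert.ToBase64String(hash);
    }
}
```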

Please help me check whether I'm doing something wrong. Why do the generated signature and the x-xero-signature differ in only 1 character? It worked fine for me last week :(. Thanks!

@AllenDigital

I have the same issue. The signature is out by 1 character compared to the hash result.

@AllenDigital

I believe this is the answer:

https://community.xero.com/developer/discussion/64820912

Xero on the initial ITR will send some signatures that are correct and some that are incorrect. If you also return a body the ITR will fail.

@taitran6879
Author

@AllenDigital wow, I didn't expect to have an answer here. Thanks!
So, the ITR has a chance of sending an incorrect signature, am I right?

@AllenDigital

Correct. They send an incorrect ITR first and check that you respond with a 401 and no body within 5 seconds. If that happens correctly, they will send a correctly signed header for which you must again respond in 5 seconds with no body and a 200. They are testing to make sure you implemented the ITR correctly before sending correctly signed requests.

@taitran6879
Author

Wow, thanks for the clarification. Never thought of this double-check approach, which caused me to struggle for a few weeks. I think I can proceed with the Xero webhook receiver now.

Thanks @AllenDigital !!!!
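
The exchange described in this thread (401 for a signature that does not match, 200 for one that does, empty body either way), sketched as an added example that is not code from the issue or the repository. The class and method names, the key and the payload are constructed for illustration, and the key is used as UTF-8 bytes as in the code posted above.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class WebhookSignatureCheck
{
    // Returns the HTTP status to send; the response body stays empty in both cases.
    public static int StatusFor(byte[] rawBody, string signatureHeader, string webhookKey)
    {
        byte[] expected;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(webhookKey)))
        {
            // Hash the bytes exactly as received; re-serialised JSON would not match.
            expected = hmac.ComputeHash(rawBody);
        }

        byte[] received;
        try { received = Convert.FromBase64String(signatureHeader ?? ""); }
        catch (FormatException) { return 401; } // header is not valid base64

        return FixedTimeEquals(expected, received) ? 200 : 401;
    }

    // Compares without exiting at the first differing byte.
    // CryptographicOperations.FixedTimeEquals does the same on .NET Core 2.1 and later.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from a real Xero account.
        const string key = "constructed-demo-webhook-key";
        byte[] body = Encoding.UTF8.GetBytes("{\"events\":[],\"entropy\":\"CONSTRUCTEDSAMPLE\"}");

        string good;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key)))
            good = Convert.ToBase64String(hmac.ComputeHash(body));
        // Change only the first character, as in the two signatures quoted in the issue.
        string bad = (good[0] == '/' ? "A" : "/") + good.Substring(1);

        Console.WriteLine("valid signature   -> " + StatusFor(body, good, key));
        Console.WriteLine("altered signature -> " + StatusFor(body, bad, key));
    }
}
```

In an ASP.NET Core action the returned status would be sent with an empty body, and `rawBody` has to be read from the request stream before any model binding touches it.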
